Threat Model Report
TASK: Write a 9- to 10-page double-spaced Word document with citations in APA format. The report should include your findings and any recommendations for mitigating the threats found.
Step 1: Describe Your Mobile Application Architecture

  1. Describe device-specific features used by the application, wireless transmission protocols, data transmission media, interaction with hardware components, and other applications.
  2. Identify the needs and requirements for application security, computing security, and device management and security.
  3. Describe the operational environment and use cases.
  4. Identify the operating system security and enclave/computing environment security concerns, if there are any.
  5. Include in your report an overview of topics such as mobile platform security, mobile protocols and security, mobile security vulnerabilities, and related technologies and their security.
  6. Include the mobile application considerations that are relevant to your mobile application.
  Address the following questions:
  7. What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc.)?
  8. What are the common hardware components?
  9. What are the authentication specifics?
  10. What should or shouldn’t the app do?
  References:
  Mitchell, J. (2016). Mobile platform security models. https://crypto.stanford.edu/cs155/lectures/17-mobile-platforms.pdf
  Open Web Application Security Project (OWASP). (2016). Mobile Top 10 2016-Top 10. https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
  US Department of Homeland Security. (n.d.). Mobile security R&D program guide. https://www.dhs.gov/sites/default/files/publications/CSD 2016 Mobile Security R%26D Program Guide Vol 1.pdf
  Mobile Application and Architecture Considerations:
  Use this form to review the various architecture considerations for mobile applications and architecture.
  Note: Not all of the following may apply to your mobile app. You will need to address only those areas that apply to the particular application you have chosen.

  1. What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc.)?
    Carrier
      • Data
      • SMS
      • Voice
    Endpoints
      • Web services
        • RESTful or SOAP-based
        • Third party (example: Amazon)
      • Websites
        • Does the app use or integrate the “mobile web” version of an existing website?
      • App stores
        • Google Play
        • Apple App Store
        • Windows Mobile
        • BlackBerry App Store
      • Cloud storage
        • Amazon/Azure
      • Corporate networks (via VPN, SSH, etc.)
    Wireless interfaces
      • 802.11
      • NFC
      • Bluetooth
      • RFID
    Device
      • App layer
      • Runtime environment (VM, framework dependencies, etc.)
      • OS platform
        • Apple iOS
        • Android
        • Windows Mobile
        • BlackBerry
      • Baseband
  2. What are the common hardware components?
    A. GPS
    B. Sensors (accelerometer)
    C. Cellular radios (GSM/CDMA/LTE)
    D. Flash memory
    E. Removable storage (e.g., SD card)
    F. USB ports
    G. Wireless interfaces
      • 802.11
      • Bluetooth
      • NFC
      • RFID
    H. Touch screen
    I. Hardware keyboard
    J. Microphone
    K. Camera
  3. What are the authentication specifics?
    Method
      • Knowledge-based
      • Token-based
      • Biometrics
    Input type
      • Keyboard
      • Touch screen
      • Hardware peripheral
    Decision process
      • Local (on device)
      • Remote (off device)
Step 2: Define the Requirements for Your Mobile Application
  1. What is the business function of the app?
  2. What data does the application store/process (provide a data flow diagram)?
    • The diagram outlines network, device file system, and application data flows.
    • How are data transmitted between third-party APIs and app(s)?
    • Will there be remote access and connectivity? Read this resource about mobile VPN security, and include any of these security issues in your report.
    • Are there different data-handling requirements between different mobile platforms (iOS/Android/BlackBerry/Windows/J2ME)?
    • Does the app use cloud storage APIs (e.g., Dropbox, Google Drive, iCloud, Lookout) for device data backups?
    • Is there specific business logic built into the app to process data?
  3. What does the data give you (or an attacker) access to? Think about data at rest and data in motion as they relate to your app.
    • Do stored credentials provide authentication?
    • Do stored keys allow attackers to break crypto functions (data integrity)?
  4. Are third-party data being stored and/or transmitted?
    • What are the privacy requirements of user data? Consider, for example, a unique device identifier (UDID) or geolocation being transmitted to a third party.
    • Are there user privacy-specific regulatory requirements to meet?
  5. How do other data on the device affect the app? Consider, for example, authentication credentials shared between apps.
  6. Compare jailbroken devices (i.e., devices whose digital rights software has been hacked or bypassed) with non-jailbroken devices.
    • How do the differences affect app data? This can also relate to threat agent identification.
  References
  Frankel, S., Kent, K., Lewkowski, R., Orebaugh, A. D., Ritchey, R. W., & Sharma, S. R. (2005). Guide to IPsec VPNs (Special Publication 800-77). National Institute of Standards and Technology, US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-77.pdf
  Frankel, S., Hoffman, P., Orebaugh, A., & Park, R. (2008). Guide to SSL VPNs (Special Publication 800-113). National Institute of Standards and Technology, US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-113.pdf
  Vesperman, J. (2002). Introduction to securing data in transit. http://www.tldp.org/REF/INTRO/SecuringData-INTRO.pdf
  Scarfone, K., Souppaya, M., & Sexton, M. (2007). Guide to storage encryption technologies for end user devices (Special Publication 800-111). National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf
Step 3: Identify Threats and Threat Agents
  1. Identify possible threats to the mobile application and threat agents.
  2. Outline the process for defining what threats apply to your mobile application.
  Threat Agent Identification Example
  • Identifying Threat Agents
  The process of identifying a threat agent:
  1. Take the list of all sensitive data (or information to protect) listed in Section 2.
  2. Make a list of the different ways to access this data.
  3. Create a list of the different agents (i.e., persons, technologies, and processes) that could be used to access the data. These are your threat agents.
  One way to understand how to identify threat agents is to use the example of a financial application, specifically a banking application. Following the identification process stated above:
  1. Sensitive data present in the application has been listed as: beneficiary details stored in some form in the phone application memory, and user credentials used for authentication transmitted to the server.
  2. List the various ways of accessing the information:
    A. Beneficiary details:
      i. A device user aiming to browse through the memory card/phone memory
      ii. An adversary using a jailbroken phone who reads the content through PuTTY/WinSCP via SSH
      iii. An adversary sniffing the Wi-Fi traffic who captures the content travelling through the network
      iv. Another malicious application that, while reading the phone memory contents, stumbles upon this data because the device is jailbroken
      v. Another application that sends data through SMS and sends this data along with it
      vi. A web application executing a script in the browser that tries to steal the phone memory and send it to its server
  3. From the above points, we list the media used:
    A. Any user who has the device (stolen device, friend, etc.)
    B. Any malicious application (installed or web-based script)
    C. An adversary sniffing the Wi-Fi
  From the above example, management should have a clear picture of how to identify threat agents. Below is a list of possible threat agents identified while analyzing commonly used applications.
  Listing of Threat Agents – By Category
  Human Interaction
  • Stolen Device User: A user who obtained unauthorized access to the device, aiming to get the memory-related sensitive information belonging to the owner of the device.
  • Owner of the Device: A user who has unwittingly installed a malicious phone application that gains access to the device application memory.
  • Common Wi-Fi Network User: Any adversary intentionally or unintentionally sniffing the Wi-Fi network used by a victim. This agent stumbles upon all the data transmitted by the victim device and may reuse it to launch further attacks.
  • Malicious Developer: A human user who intends to write an application that not only provides a commonly known function like a game, calculator, or utility in the foreground but also steals as much information from your device as possible in real time and transmits it to the malicious user. This agent may also code an app to perform a denial of service (DoS) by using up all the device resources.
  • Organization Internal Employees: Any user who is part of the organization (programmer, admin, user, etc.) and has privileges to perform an action on the application.
  • App Store Approvers/Reviewers: Any app store which fails to review potentially dangerous code or a malicious application that executes on a user’s device and performs suspicious/malicious activities.
  Automated Programs
  • Malware on the device: Any program/mobile application that performs suspicious activity. It can be an application that is copying real-time data from the user’s device and transmitting it to any server. This type of program executes in parallel with all the processes running in the background and stays alive, performing malicious activity all the time, e.g., the Olympics app that stole text messages and browsing history: http://venturebeat.com/2012/08/06/olympics-android-app/
  • Scripts executing in the browser with HTML5: Any script code written in a language similar to JavaScript that is capable of accessing device-level content falls under this type of agent, e.g., a script executing in the browser that reads and transmits browser memory data or complete device-level data.
  • Malicious SMS: An incoming SMS redirected to trigger some kind of suspicious activity on the mobile device. There are multiple services that keep running in the background. Each of these services has listeners which might be active to listen for the content of an incoming SMS. An SMS message may serve as a trigger for the service to perform some suspicious activity.
  • Malicious App: Failure to detect malicious or vulnerable code, and the likelihood of a compromise or attack against the app store itself, potentially turning legitimate code into hostile code, including updates and newly downloaded apps.
Step 4: Identify Methods of Attack
• Provide senior management an understanding of the possible methods of attack on your app.
Cyberattacks
Cyberattacks refer to attacks launched against computer systems, networks, and infrastructure with the intention of stealing sensitive data, gaining unauthorized access, and sniffing passwords. These attacks are carried out by individuals, groups, or states and may use malicious software such as viruses and worms. The problem of cyberattacks has been acknowledged by the National Institute of Standards and Technology (Johnson et al., 2016):
Cyberattacks have increased in frequency and sophistication, resulting in significant challenges for organizations in defending their data and systems from capable threat actors. These actors range from individual, autonomous attackers to well-resourced groups operating in a coordinated manner as part of a criminal enterprise or on behalf of a nation-state. These actors can be persistent, motivated, and agile, and they employ a variety of tactics, techniques, and procedures (TTPs) to compromise systems, disrupt services, commit financial fraud, and expose or steal intellectual property and other sensitive information. (p. 1)
Cyberattacks can be prevented, or their risks minimized, if organizations that have faced an attack share information with others so that they can deploy resources to combat the threat.
References
Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Computer security: Guide to cyber threat information sharing (Special Publication 800-150, 2nd draft). National Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800-150/sp800_150_second_draft.pdf
Step 5: Consider Controls

  1. What are the controls to prevent an attack? Conduct independent research, then define these controls by platform (e.g., Apple iOS, Android, Windows Mobile, BlackBerry).
  2. What are the controls to detect an attack? Define these controls by platform.
  3. What are the controls to mitigate/minimize the impact of an attack? Define these controls by platform.
  4. What are the privacy controls (i.e., controls to protect users’ private information)? An example of this would be a security prompt for users to access an address book or geolocation.
  5. Create a mapping of controls to each specific method of attack (defined in the previous step).
    ◦ Create a level-of-assurance framework based on the controls implemented. This would be subjective to a certain point, but it would be useful in guiding organizations that want to achieve a certain level of risk management based on the threats and vulnerabilities.
